Manage users in the hybrid UI

You first add hybrid users by using the GCP Console. When you do this, the user is granted the same access to all environments in the hybrid-enabled organization. However, you can refine each user's access by using the hybrid UI.

The hybrid UI lets you assign roles to users per environment: you use it to refine each user from having the same role in all environments to assigning a specific role or roles for that user for each environment.

This section describes how to add, change, and remove hybrid users with the hybrid UI.

Add user accounts in the hybrid UI

When you first configure hybrid and create the GCP project to which the hybrid organization is bound, you typically add a couple of users with different roles like Deployer and API Creator. Because these users were defined at the GCP project level, they can access all hybrid environments with that level of access.

By using the hybrid UI, though, you can set roles of existing users at the environment level.

To specify user permissions for a hybrid environment:

  1. Ensure that you have already added the user to the GCP project that you created in Step 2: Create a GCP project. For information on adding users to a GCP project, see Granting, changing, and revoking access to resources.
  2. Open the Apigee hybrid UI in a browser.
  3. Select Admin > Environments > Access in the left navigation menu.
  4. Select the environment name from the drop-down list.

    The UI displays a list of current user accounts and roles for the selected environment:

  5. Click +Grant Access in the upper right.

    The Grant Access to Environment dialog box displays:

  6. Enter the user account’s email address in the first field. This email address is typically one of the following:
    • A Google account (for example, fred@gmail.com). All Gmail accounts are Google accounts, but you can also register email addresses with different domains as Google accounts.
    • A Google Group alias. For example, address@googlegroups.com.
    • A service account. For example, address@example.gserviceaccount.com.
    • A G Suite domain. For example, address@example.com, where example.com is a domain that you used when you signed up for Google Cloud services.
  7. Select a role from the Role drop-down list and click Add. You can add more than one role for each user.
  8. Repeat this process for each environment for which you want to specify the user’s role.
  9. You can remove a user account from an environment using the hybrid UI, but that user account will still have the access that it was granted in the Google Cloud Platform (GCP) Console unless you also remove the user from the Console by default.

    Remove user accounts

    Removing a user at the environment level does not remove the user at the GCP project level. As a result, the user can still access all environments with their GCP project level permissions.

    To revoke the user’s access entirely, you must remove them from the GCP project as described in Revoking Access to Google Cloud Platform.

    To remove a user from an environment:

    1. Open the Apigee hybrid UI in a browser.
    2. Select Admin > Environments > Access in the left navigation menu.
    3. Select the environment name from the drop-down list.

      The UI displays a list of current users for the selected environment.

    4. In the user’s row, click the trash barrel icon.

      The hybrid UI displays a confirmation dialog box:

    5. Click Revoke.

      The hybrid UI removes that user from the environment.

    Change user roles in the hybrid UI

    You can change a user’s role on a per-environment basis by using the hybrid UI. This includes adding additional roles to a user account or removing one or more roles from the user account.

    To change a user’s roles for an environment:

    1. Open the Apigee hybrid UI in a browser.
    2. Select Admin > Environments > Access in the left navigation menu.
    3. Select the environment name from the drop-down list.

      The UI displays a list of current users for the selected environment.

    4. In the user’s row, click the pencil icon.

      The hybrid UI displays the Manage Roles dialog box:

    5. Do one of the following:
      1. To remove a role: Click the X next to that role.
      2. To change a role: Select a new role from the drop-down list of roles.
      3. To add another role: Click Add another role.
    6. Click Apply.

      The hybrid UI applies your changes to the user in that environment.